Bug 18153 - Format string bug in ucd-snmp
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ucd-snmp
7.0
i386 Linux
high Severity medium
Assigned To: Crutcher Dunnavant
: Security
Reported: 2000-10-02 19:04 EDT by Chris Evans
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-10-03 13:56:17 EDT
Description Chris Evans 2000-10-02 19:04:39 EDT
Not particularly severe for various reasons;
- I'm not sure if you ship with syslogging enabled by default
- Even if you did, it might not be exploitable
- And you don't listen on the snmp network port by default anyway.

Still,
If we look at
ucd-snmp-4.1.2/snmplib/snmp_logging.c: snmp_log_string():
...
#if HAVE_SYSLOG_H
  if (do_syslogging) {
    syslog(priority, string);
  }
#endif
...
That syslog() call is missing "%s" as a second argument. Classic format
string bug.
Probably best to patch for the next release, but I doubt it warrants an
update unless you _do_ enable syslogging by default.
Check it out and update this bug if syslogged is enabled by default.
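
Added example (not part of the original report and not ucd-snmp source): the corrected call shape the description asks for, with a small helper showing why a message that contains '%' sequences is harmless once it is passed as data. The function names and the sample message are hypothetical and constructed for illustration.

```c
/* Added example; not ucd-snmp source. Names below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Shape reported in snmp_log_string() (left as a comment, not compiled):
 *     syslog(priority, string);      // message text used as the format
 * gcc/clang flag this with -Wformat -Wformat-security. */

/* Corrected shape: the format is a literal, the message is only data. */
void log_string_fixed(int priority, const char *string)
{
    syslog(priority, "%s", string);
}

/* Same "%s" discipline into a buffer, so the result can be inspected. */
int render_fixed(char *out, size_t outlen, const char *string)
{
    return snprintf(out, outlen, "%s", string);
}

/* Number of '%' conversions a printf-style function would try to process
 * if `string` were handed to it as the format ("%%" is a literal percent). */
size_t count_conversions(const char *string)
{
    size_t n = 0;
    for (const char *p = string; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *msg = "bad community %s%x from peer";   /* constructed input */
    char buf[128];

    render_fixed(buf, sizeof buf, msg);
    printf("conversions if used as format: %zu\n", count_conversions(msg));
    printf("logged text with fix: %s\n", buf);
    log_string_fixed(LOG_WARNING, msg);
    return 0;
}
```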
Comment 1 Daniel Roesen 2000-10-03 13:56:13 EDT
I think this is serious, even if default config is not exploitable.
Comment 2 Jeff Johnson 2000-10-12 11:22:08 EDT
Fixed in ucd-snmp-4.1.2-9.
